Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

Wed, 2022-12-07 11:12 — Anonymous (not verified)

Project: Entity RegistrationDate: 2022-December-07Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=7.1.0 <7.1.9Description: This module enables you to create registration entities related to nodes.
The module doesn't sufficiently restrict update access to a user's own registrations.
This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.Solution: Install the latest version:

If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.9 release

Note: Sites that allow non-administrative users to manage registrations because the users can update the registration host entity and have "update own registration" permission for a given registration type, may need to give those users the "administer own registration" permission for them to retain the ability to manage registrations after installing this upgrade.Reported By:

Joël Pittet

Fixed By:

Coordinated By:

James Gilliland of the Drupal Security Team

Reported at: 20 November 2022

Path to article https://www.drupal.org/sa-contrib-2022-063

Search form

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063